What does patching have to do with compliance management
Michael J Wiser CISSP, Vice President, Citadel Security Software Inc. (www.citadel.com/2minutebroadcast)


What Does Patching have to do with Compliance Management

Michael J Wiser CISSP

Vice President

Citadel Security Software Inc.


Patching and Compliance Management

What Does Patching have to do with Compliance Management?

Typically only about 25% to 35% of policy compliance can be achieved through patching.

Customer “S”: 28% compliant with a patching solution deployed

Customer “S”: 95% compliant with an EVM solution deployed

The Real Issue

  • Today’s currency is bits, not gold

    • No gold bullion in the vault

      • “cloud of electrons at the right place at the right time”

    • Money is represented electronically

      • Trillions of e-$ flow through nations daily

  • BUT: Many executives do not understand or recognize the importance of their information systems and the threats that exist, and therefore do not invest in the security of these systems.


So many ways to be attacked:

  • Physical Penetrations

  • Company Profiling – Open Source Research

  • Footprinting – Scanning – Enumeration

  • Penetration

  • Escalate Privilege – Stealing/Damaging Corp. information

  • Trojans – remote controlling systems

  • Buffer Overflows

  • Port Redirection of Packets

  • Zone Transfers

  • SNMP Sweeps

  • Router Exploitation

  • Key Loggers – Software and Hardware devices

  • Denial of Service

  • ARP/DNS Poisoning

Some More Numbers

  • General Internet attack trends are showing a 64% annual rate of growth

    • Symantec

  • The average company experiences 32 cyber-attacks per week

    • Checkpoint

  • The average measurable cost of a serious security incident in Q1/Q2 2004 was approximately $500,000

    • UK Dept of Trade & Industry

  • Identity theft-related personal information is selling for $500-$1000 per record

    • CFE Resource

  • Average of 79 new vulnerabilities per week in 2004!!

    • eEye Digital Security

And They’re Getting Better

More vulnerabilities = higher likelihood of attack

Faster attacks = less time to react

What We See

  • Rapidly increasing threats and vulnerabilities

  • Rapidly decreasing time to exploit

  • No corresponding increase in IT resources


CERT/CC, Microsoft, SANS

Issues Leading to Compromise

How do they do it?

  • Out of Date Systems

    • Systems and applications are not at the latest patch levels

  • Configuration Issues

    • What may be (somewhat) safe on a LAN is not safe on the Internet

  • Poor Password Choice

    • Remote administration or support access tends to be designed to make it easy to support, but also easy to hack into

  • Lack of Security Controls

    • Firewalls, Intrusion Detection Systems, Encryption, 2-Factor Authentication are not present

  • Application Coding Problems

    • Lack of thorough testing leaves many flaws in web-based applications such as:

      • URL/Directory permissions

      • SQL Injections

      • URL Manipulation

      • Session Issues


How do they find these problems?

  • Scanning, Scanning and More Scanning

    • Port Scanners

    • Vulnerability Scanners

    • Web Application Scanners

  • Trial and Error

    • Attackers have unlimited amounts of time and resources

  • Publish and Share

    • Attackers often find issues with sites and then publish their techniques to obscure locations (chat rooms, foreign language hacker forums, etc.)

Case Study 1: POS Environment


[Diagram: Retail Store]
Case Study 1: Timeline of Events

Monday November 8th 2004

  • 2:07 PM – Attacker named Мальчик begins scanning a network block known to be used by a US-based ISP for its business DSL connections.

  • 3:14 PM – Мальчик finds a system with a Windows share open with full read/write permissions.

  • 3:23 PM – Мальчик mounts share on his system and begins to search for cardholder data using automated tools.

  • 4:05 PM – The system is found to contain several thousand card numbers and corresponding track data. Last transaction was at 4:03 PM. Мальчик realizes that this must be a POS system and knows he struck gold today.

  • 4:07 PM – Мальчик begins to copy all files containing cardholder data.

Case Study 1: Timeline of Events (Cont’d)

Wednesday November 10th 2004

  • 1:11 AM – Мальчик returns to install an agent that each day will ZIP up all new transactions and HTTP post them to http://sneety02.devotchka7.ru

  • 2:51 AM – Мальчик runs the agent to test that it works. 15,892 transactions were posted to his group’s site.

  • Future Work

    • Мальчик and his group will begin to emboss and sell “real” cards from this and future posts to his site.

    • If the street price for a “real” card is about $160 USD, they made about $2.5 million USD from the first harvest from this site.

Case Study 2: eCommerce Sites


[Diagram: Web Hosting ISP]

Case Study 2: Timeline of Events

Thursday October 28th 2004

  • 11:40 AM – A hacking group by the name of L-Crew, which had been scanning a large segment of the Internet for open database servers, noticed that TCP port 3306 was open on a server and that they were able to execute queries against the database.

  • Note: This site is hosted at an Internet Hosting Provider that leverages a shopping cart driven by a backend database shared by all hosted customers.

Case Study 2: Timeline of Events

Friday October 29th 2004

  • 2:29 AM – The L-Crew has been exploring the database for about 14 hours and discovered that they can query a table containing the username and password hashes for the shopping cart administrator accounts that each merchant uses.

  • 3:45 AM – The L-Crew downloaded a dump of the user table to their local system. They noticed on the main website for the hosting provider that a merchant can set up a demo shopping cart account. They created an account through the registration process.

  • 3:52 AM – After registering they are asked to pick a password for their account. They are told that the password cannot be greater than 7 characters and must not contain numbers or symbols.

Case Study 2: Timeline of Events (Cont’d)

Friday October 29th 2004 (Cont’d)

  • 4:10 AM – Using the information gathered during the registration process, the L-Crew took the password hashes and began to attempt to crack them. Since they knew the “rules” that were applied to password creation, they were able to greatly narrow their cracking efforts.

  • 5:56 AM – The L-Crew had successfully cracked all 587 passwords, including the global administrator account used to set up custom fields and other environment-specific shopping cart settings.

  • 7:14 AM – The L-Crew, using the global administrator account, modified the shopping cart to HTTP post a copy of each transaction (including CC#, Exp, CVV2/CID) from every merchant to another site they compromised located at http://visty45.miaku.co.jp

  • 8:23 AM – The L-Crew has gathered over 1,000 transactions on their site and decides to write a script on the site receiving the transactions to batch these up each hour and e-mail them to 20 different “free mail” accounts.

Case Study 2: Timeline of Events (Cont’d)

Saturday October 30th 2004

  • 9:22 AM – John Smith purchased a book from ACME Books’ website. This site is hosted at the Internet Hosting Provider that was compromised by the L-Crew.

  • 11:46 AM – The L-Crew has gathered over 14,000 transactions (including John Smith’s) and has begun sorting and packaging them for resale.

  • If the street price for just cardholder information (no magnetic stripe) is about $10, they will make about $140,000 USD for a little more than 24 hours of work.

Challenges: Business and Government Mandates

The Computer Security Institute (CSI) reported over $141 billion damage from security incidents in the US in 2004.

- 2004 CSI/FBI Computer Crime and Security Survey

  • FDIC

  • CA1386

  • HIPAA

  • Sarbanes-Oxley

  • Gramm-Leach-Bliley

  • Protect Business Assets

  • Protect Business Reputation

  • Payment Card Industry Data Security Standard

  • Securities & Exchange Commission

  • Federal Trade Commission

  • Clinger-Cohen Act

  • Presidential Decision Directive 63

  • Government Information Security Reform Act (GISRA)

  • Federal Information Security Management Act (FISMA)

Facing The Challenge: Shifting From Documenting To Enforcing

  • Audit Corporate Security Policy

  • Assessment Scanners:

    • Unsecured Accounts

    • Unnecessary Services

    • Backdoors

    • Mis-configurations

    • Software Defects

  • Threat Management

  • Enforce Corporate Security Policy

  • Remediate Vulnerabilities

  • Manage Disconnected Users

  • Apply Policy Templates

  • Compliance and Validation Checking

  • Reporting

[Diagram columns: Past Practices, Current Practice, Best Practice]



Compliance Management

  • Okay, for your Desktops and Servers what is it?

  • Is it patch management?

  • Is it configuration management?

  • Is it Vulnerability Assessment scanning?

So It’s About Patching?

  • Well, no.

  • 90 to 95% of all network attacks target vulnerabilities for which there was an existing mitigation or repair.

    FBI, SANS, Gartner, Carnegie-Mellon

  • Patching software defects accounts for less than 35% of the known network/system vulnerabilities

    • The balance is “configuration” related

      • Weak, default or nonexistent passwords

      • Improperly configured software (OS, browser, email, …)

      • Unnecessary services/open ports

      • Unauthorized/poor software (Peer-to-peer, Instant messaging)

Five Classes of Vulnerabilities

  • Unsecured Accounts

    • Null password, Admin with no password, no password expiration …

  • Unnecessary Services

    • VNC, PCAnywhere, KaZaa, Telnet …

  • Backdoors

    • Spyware (KaZaa, DownloadWare, 180 Solutions, GAIN), MyDoom.A, BACKORIFICE, SUBSEVEN …

  • Mis-configurations

    • NetBIOS shares, Anonymous FTP world r/w, hosts.equiv …

  • Software Defects (Missing Patches)

    • Buffer overruns, RPC-DCOM, SQL Injection …

Vulnerability: A weakness in process, administration or technology that can be exploited to compromise IT security – Gartner
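As an added illustration of the deck's point that patching covers only one of the five classes (example code, not Citadel's product or the deck's own material), the following Python scores a host against a policy baseline organised by those classes and shows what share of compliance a patch-only programme reaches. The rule ids, the number of rules per class and the scanner result are constructed sample data.

```python
"""Compliance scoring across the five vulnerability classes.

Added example, not Citadel code. POLICY and the scanner results are
constructed sample data; the class names follow the slide above.
"""
from collections import Counter

CLASSES = ("Unsecured Accounts", "Unnecessary Services", "Backdoors",
           "Mis-configurations", "Software Defects")

# Constructed baseline: (rule id, vulnerability class it belongs to).
POLICY = [
    ("guest-account-disabled", "Unsecured Accounts"),
    ("admin-password-set", "Unsecured Accounts"),
    ("password-expiry-enforced", "Unsecured Accounts"),
    ("telnet-disabled", "Unnecessary Services"),
    ("vnc-not-listening", "Unnecessary Services"),
    ("no-p2p-client", "Unnecessary Services"),
    ("no-backorifice", "Backdoors"),
    ("no-subseven", "Backdoors"),
    ("no-world-rw-netbios-share", "Mis-configurations"),
    ("no-anonymous-ftp-write", "Mis-configurations"),
    ("rpc-dcom-patch-applied", "Software Defects"),
    ("sql-server-patch-applied", "Software Defects"),
    ("browser-patch-applied", "Software Defects"),
    ("email-client-patch-applied", "Software Defects"),
]


def compliance(policy, passing):
    """Overall and per-class compliance (%) given the set of passing rule ids."""
    total = Counter(cls for _, cls in policy)
    ok = Counter(cls for rid, cls in policy if rid in passing)
    per_class = {cls: round(100.0 * ok[cls] / total[cls], 1) for cls in total}
    overall = round(100.0 * sum(ok.values()) / len(policy), 1)
    return overall, per_class


def remediate(policy, passing, classes):
    """Simulate fixing every failing rule in the given classes; others are untouched."""
    return set(passing) | {rid for rid, cls in policy if cls in classes}


if __name__ == "__main__":
    # Constructed scanner result: a freshly imaged host that passes nothing yet.
    scanned = set()
    patched_only = remediate(POLICY, scanned, {"Software Defects"})
    print("patch-only:", compliance(POLICY, patched_only))
    print("full remediation:", compliance(POLICY, remediate(POLICY, scanned, CLASSES)))
```

With this baseline a patch-only effort tops out near the 28% figure quoted for Customer “S”, and the remaining gap is entirely configuration classes.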


Approaches to Reducing IT Security Risk

Check Compliance or Enforce Policy

  • Define asset baseline

  • Define security baseline

  • Enforce IT security config

Scan / Validate

  • Assess vulnerability state

  • Remediate detected vulnerabilities

Near Day Mitigation

  • New, critical vulnerabilities

  • Key assets

What needs to be achieved

  • IT Security Compliance

    Continuous IT security policy enforcement

  • Reduced IT Security Risk

    Proactive elimination of vulnerabilities

  • Minimized Business Disruptions

    Consistent enterprise remediation

  • Thorough reporting on Security posture

    Document compliance to policy

  • Improved Utilization of Resources

    Automation and integration

Michael J Wiser CISSP, Vice President, Citadel Security Software Inc., 214 520 9292

Security In the News

The Internet Threat Regulator

The Internet Traffic Report

The Virus, Worm and Trojan Report

And the Vulnerability Report

Michael J Wiser CISSP

Vice President

Citadel Security Software Inc.